diff --git a/src/pngchunk_int.cpp b/src/pngchunk_int.cpp index 755872c9..9b3faf1a 100644 --- a/src/pngchunk_int.cpp +++ b/src/pngchunk_int.cpp @@ -606,11 +606,6 @@ namespace Exiv2 { DataBuf PngChunk::readRawProfile(const DataBuf& text,bool iTXt) { DataBuf info; - register long i; - register unsigned char *dp; - const char *sp; - unsigned int nibbles; - long length; unsigned char unhex[103]={0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,0,1, 2,3,4,5,6,7,8,9,0,0, @@ -627,8 +622,7 @@ namespace Exiv2 { return info; } - - sp = (char*)text.pData_+1; + const char *sp = (char*)text.pData_+1; int pointerPos = 1; // Look for newline @@ -638,20 +632,30 @@ namespace Exiv2 { pointerPos++; } + // Look for length + while ((*sp == '\0' || *sp == ' ' || *sp == '\n') && pointerPos < (text.size_ - 1)) + { + sp++; + pointerPos++; + } + if (pointerPos == (text.size_ - 1)) { return DataBuf(); } - // Look for length + long length = (long) atol(sp); - while (*sp == '\0' || *sp == ' ' || *sp == '\n') + while (*sp != ' ' && *sp != '\n' && pointerPos < (text.size_ - 1)) + { sp++; + pointerPos++; + } - length = (long) atol(sp); - - while (*sp != ' ' && *sp != '\n') - sp++; + if (pointerPos == (text.size_ - 1)) + { + return DataBuf(); + } // Allocate space @@ -674,10 +678,10 @@ namespace Exiv2 { // Copy profile, skipping white space and column 1 "=" signs - dp = (unsigned char*)info.pData_; - nibbles = length * 2; + unsigned char *dp = (unsigned char*)info.pData_; + unsigned int nibbles = length * 2; - for (i = 0; i < (long) nibbles; i++) + for (long i = 0; i < (long) nibbles; i++) { while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f') { diff --git a/test/data/issue_428_poc3.png b/test/data/issue_428_poc3.png new file mode 100644 index 00000000..ae6fa0a7 Binary files /dev/null and b/test/data/issue_428_poc3.png differ 
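Review bot: `long length = (long) atol(sp);` in the third hunk is not covered by the `pointerPos < (text.size_ - 1)` bound that the two new loops enforce. `atol` keeps scanning until it meets a non-digit, so it stays inside `text` only if the buffer is NUL-terminated, which nothing in this hunk establishes. The parsed value is also used unvalidated, so a negative or oversized length taken from the file reaches the allocation and the `length * 2` nibble count further down. I would parse the digits against an explicit end pointer instead of `atol` and reject bad values right after parsing, e.g. `if (length < 0 || length > (text.size_ - pointerPos) / 2) return DataBuf();`. readRawProfile starts and ends outside this hunk, so a later check near "Allocate space" may already cover part of this.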
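Review bot: The hex-decoding loop in the last hunk of this file still has no end-of-buffer test. `while (*sp < '0' || (*sp > '9' && *sp < 'a') || *sp > 'f')` dereferences `sp` until it finds a hex digit, and `pointerPos` is not maintained past the length field, so the bounds added earlier in this commit do not carry into the copy. If the declared length exceeds the hex text actually present, `sp` can advance past `text.pData_ + text.size_`; separately, `unsigned int nibbles = length * 2;` narrows a `long` and can wrap. I would add `const char* end = (const char*)text.pData_ + text.size_;` before the loop and `if (sp >= end) return DataBuf();` inside the skip loop. The loop body continues outside the hunk, so a terminator check may exist there, but it would still depend on a NUL byte being present in the chunk.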
diff --git a/test/data/issue_428_poc4.png b/test/data/issue_428_poc4.png new file mode 100644 index 00000000..03d689c5 Binary files /dev/null and b/test/data/issue_428_poc4.png differ diff --git a/tests/bugfixes/github/test_issue_428.py b/tests/bugfixes/github/test_issue_428.py index 82162520..e161a527 100644 --- a/tests/bugfixes/github/test_issue_428.py +++ b/tests/bugfixes/github/test_issue_428.py @@ -9,15 +9,17 @@ class PngReadRawProfile(metaclass=system_tests.CaseMeta): filenames = [ system_tests.path("$data_path/issue_428_poc1.png"), - system_tests.path("$data_path/issue_428_poc2.png") + system_tests.path("$data_path/issue_428_poc2.png"), + system_tests.path("$data_path/issue_428_poc3.png"), + system_tests.path("$data_path/issue_428_poc4.png"), ] commands = ["$exiv2 " + fname for fname in filenames] - stdout = [""] * 2 + stdout = [""] * len(filenames) stderr = [ """$exiv2_exception_message """ + fname + """: $kerFailedToReadImageData """ for fname in filenames ] - retval = [1] * 2 + retval = [1] * len(filenames)